ipfw and carp problems

Ian Smith smithi at nimnet.asn.au
Wed Oct 29 09:55:22 UTC 2014 

In freebsd-questions Digest, Vol 543, Issue 2, Message: 1
On Mon, 27 Oct 2014 15:16:33 +0100 Gerhard Schmidt <schmidt at ze.tum.de> wrote:
 > Hi,
 > 
 > I have a small problem with ipfw an carp.
 > 
 > i have two server with two carp ips and a firewall via ipfw.
 > 
 > the problem is tha ipfw via modul is default to deny. So when the carp
 > interfaces are initialized ipfw has no custom rules. Everything is
 > denied, even the carp packets. So every time I reboot one of the hosts
 > it comes up as master and after the firewall rules are initialized one
 > of the servers is demoted to backup, which one seams to be random.
 > 
 > My problem is that my setup need a new server do come up as backup
 > because is has to replicate the data from the running server before
 > being able to act as master. There could be data loss if a newly booted
 > server named master without prior replicating the data.
 > 
 > Is there a way to ensure that the firewall rules are up before the carp
 > interfaces are initialized or to load the ipfw module with default to
 > accept.

The canonical way was to build a custom kernel with ipfw included as per 
http://www.freebsd.org/doc/handbook/firewalls-ipfw.html including 
'options IPFIREWALL_DEFAULT_TO_ACCEPT' .. however you can accomplish 
this with a GENERIC (or other) kernel by adding to /boot/loader.conf:

  ipfw_load="YES"		# to load the ipfw module early

and adding to /etc/sysctl.conf

  net.inet.ip.fw.enable=0
  net.inet6.ip6.fw.enable=0	# if using ipv6

/etc/rc.d/sysctl is run early (on 9.3, first) before other rc.d 
scripts including netif and later ipfw, which will then only enable the 
firewall after having loaded your ruleset.

I just tested this over ssh to a 9.3 GENERIC box not running ipfw:

root at x200:~/bin # kldload ipfw && sysctl net.inet.ip.fw.enable=0 \
	&& sysctl net.inet6.ip6.fw.enable=0
net.inet.ip.fw.enable: 1 -> 0
net.inet6.ip6.fw.enable: 1 -> 0
root at x200:~/bin # ipfw show
65535 0 0 deny ip from any to any

which would have locked me out had it not worked :)

Of course you must accept that there is a vulnerable window between 
starting net interfaces (netif) and starting ipfw, however miniscule.

cheers, Ian

More information about the freebsd-questions mailing list